Hi, can a CVE be assigned to the following issue?
The lxml.html.clean module cleans up HTML by removing embedded or script content, special tags, CSS style annotations and much more. It was found [1] that the clean_html() function, provided by the lxml.html.clean module, did not properly clean HTML input if it included non-printed characters (\x01-\x08). A remote attacker could use this flaw to serve malicious content to an application using the clean_html() function to process HTML, possibly allowing the attacker to inject malicious code into a website generated by this application.
This issue has been reported upstream at [2] and a patch is available at [3].
[1] http://seclists.org/fulldisclosure/2014/Apr/210
[2] https://mailman-mail5.webfaction.com/pipermail/lxml/2014-April/007128.html
[3] https://github.com/lxml/lxml/commit/e86b294f1f81b899a59925123560ff924a72f1cc
Red Hat Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1092613
– Martin Prpic / Red Hat Security Response Team